Within each Yubikey are many different chips that are each used by different software for different purposes. There is no definitive "how to set up a Yubikey" document, however there are multiple "How to use a Yubikey to do x" documents online. This is an attempt at consolidating some of the how-tos that are relevant to foxes working for the ShapeShift DAO.
TOTPs (aka 2FA, Google Authenticator, Authy, etc.)
Time-based One-Time Passwords (TOTPs) are 6-digit numeric codes that change every 30 seconds. This is a common method of 2FA used by many websites: it typically involves scanning a QR code with the Google Authenticator or Authy apps, or typing in a secret code if the QR scan isn't working.
Yubikeys support TOTPs via the Yubico Authenticator app available for most/all major OSes.
<aside>
💡 Whenever any website asks you to set up Google Authenticator you can substitute Yubico Authenticator instead.
</aside>
Setup
- Download and install the Yubico Authenticator app for your operating system
- Open Yubico Authenticator
- Plug in your Yubikey
- Click the ➕ icon to add a new authenticator
- Yubico Authenticator can look for QR codes currently on your screen to fast-track setup.
  - It may need your OS's permission to view the screen to do this
- Each authenticator item has 3 pieces of data stored with it:
  - Issuer: the name of the website/service that issued the authenticator (e.g. GitHub, Google, etc.)
  - Account Name: the account name used on the Issuer's website (e.g. your email address, username, or other login)
  - Secret Key: the authenticator's shared secret itself (it typically looks like 16 or 32 letters)
- It is recommended that you ☑️ the Require Touch checkbox when adding a new authenticator to your Yubikey.
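The three fields above are exactly what the QR code carries (as an otpauth:// URI), and the Secret Key is what turns into the 6-digit code. The following is an added example, not part of this guide or of Yubico's software, that parses such a URI and computes the code the same way an authenticator does (RFC 6238, HMAC-SHA1, 30-second steps). The issuer, account name and URI are constructed; the secret is the public RFC 6238 test-vector key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example of the otpauth:// URI encoded in a website's TOTP QR
# code. The secret is the RFC 6238 test-vector key ("12345678901234567890")
# in base32; the issuer and account name are made up for illustration.
SAMPLE_URI = (
    "otpauth://totp/GitHub:fox%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=GitHub&digits=6&period=30"
)


def parse_otpauth(uri: str) -> dict:
    """Split an otpauth://totp/ URI into the fields Yubico Authenticator stores."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    label = unquote(parsed.path.lstrip("/"))  # "Issuer:account" or just "account"
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    label_issuer, sep, account = label.partition(":")
    if not sep:  # no issuer prefix in the label
        label_issuer, account = "", label_issuer
    return {
        "issuer": query.get("issuer", label_issuer),
        "account": account,
        "secret": query["secret"].upper(),
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
    }


def totp(secret_b32: str, unix_time: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the period counter, dynamically truncated."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)  # restore base32 padding
    key = base64.b32decode(padded, casefold=True)
    counter = struct.pack(">Q", unix_time // period)     # 8-byte big-endian step
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def code_for(uri: str, unix_time: int) -> str:
    """The code an authenticator would display for this URI at the given time."""
    e = parse_otpauth(uri)
    return totp(e["secret"], unix_time, e["digits"], e["period"])
```

Because the code is derived only from the secret and the clock, anyone holding the secret can produce valid codes forever; that is why the guide tells you to write it down only at enrollment time and keep it in your password manager.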
Considerations
<aside>
💡 If someone finds your Yubikey and plugs it in, they can read all of your authenticators unless your Yubikey is password-protected!
</aside>
- You can password-protect your Yubikey by clicking the "..." button at the top of Yubico Authenticator
  - The password protects all authenticators added on the Yubikey, not the Yubico Authenticator app on your machine
  - This password is separate/distinct from GPG PINs and other features available on your Yubikey
  - Be sure to save this password in your password manager so you don't forget it!
    - You are using a password manager, aren't you?!?!
- Once added to Yubico Authenticator, you can never change the Issuer or Account Name. Be sure to double-check for typos before adding it to your Yubikey.
  - If you make a mistake, you have to delete it and re-add it.
- You can never read the secret key from a Yubikey. If you want to make a backup of your secret key you have to write it down at the time you add it to Yubico Authenticator.
- The Require Touch checkbox configures the Yubikey to require you to touch it within 30 seconds of requesting a code. This is incredibly effective at preventing malware from retrieving codes from your Yubikey without your permission. To date, malware has many ways to copy data off of your laptop, but malware still has not found a way to touch your Yubikey over the Internet.
- If someone finds your Yubikey and plugs it in, they can read all of your authenticators unless you password-protected your Yubikey within the Yubico Authenticator app.
GPG Keys